
Security.txt: Pros, Cons & Ethical Hacking

In this post, we’re going to talk about ‘security.txt’:

  • what it is
  • what its benefits are
  • its downsides
  • how you can easily create your own ‘security.txt’ file
  • how to make the best of it if you’re a pentester or bounty hunter

So if you wanna learn about ‘security.txt’, or you wanna know more about it, this post is for you.


What exactly is a ‘security.txt’ file?

It is a proposed standard that allows websites to define security policies and sets clear guidelines for security researchers on how to report security issues.

You can think of it as the equivalent of ‘robots.txt’ or ‘ads.txt’, but for security issues.

And you may ask: why do we need this in the first place?

This is a valid question.

Every year, security researchers identify thousands of new vulnerabilities and misconfigurations, and most of the time they want to report them so that the company or developer can fix them.

And here comes the fun part.

To report the problem you have to first find the right person to report it to.

You don’t want to report security issues to sales or customer support because they wouldn’t know what to do with them.

So having clear guidelines on where to report issues is of tremendous help for pentesters, bounty hunters, and security researchers.

Even though this standard was first proposed in 2017, it is still in the final stages as an Internet draft.

However, it has already been adopted by major companies such as Google, Facebook, GitHub, LinkedIn, and Dropbox, and it is being recommended for use throughout U.S. and U.K. government agencies as well.

Let’s take Adobe’s ‘security.txt’ file as an example:

Adobe security.txt file


Here we have all the things we need to properly report a security issue.

We know who to contact, their preferred languages, their security policy, the PGP (Pretty Good Privacy) signature for secure communication, and so on.

So as you can see, having a ‘security.txt’ file greatly simplifies the process of reporting a security vulnerability because you know who you need to report to and what guidelines you need to follow for your report to be valid.

The Structure

Now let’s have a look at the structure of this file.

First of all, let’s check out the URL.

We can see that the file is placed under the /.well-known directory, but it can also be placed at the root directory of a website, or even in both locations at the same time.

Now let’s have a look at the contents.

The ‘security.txt’ file is formatted as lines of key-value pairs separated by colons, where the key is a field name.

And there are currently 8 fields defined:

  1. Acknowledgments links to a webpage where people can be recognized for their reports.
  2. Canonical lists the canonical URI of the security.txt file; it is useful when someone obtains the file through means other than directly accessing that location.
  3. Contact is a required field that provides information on where to report vulnerabilities, such as an email address, a phone number, or a web page with contact information. You can have more than one Contact field if you need to.
  4. Encryption locates an encryption key that should be used for secure communication when reporting security issues.
  5. Expires is also a required field; it indicates when the data in the file should be considered stale and no longer used. The date can be as far in the future as you wish, but it is recommended to be less than a year into the future.
  6. Hiring links to a webpage on security-related job positions at the organization.
  7. Policy provides the location of the organization’s vulnerability disclosure policy.
  8. Preferred-Languages enumerates the languages the organization would prefer to be used when submitting security reports.

One more thing: the security.txt file should be served with an Internet Media Type of text/plain, and it must be served over HTTPS.
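To make these rules concrete, here is a small validator written for this post (an added example, not code from the post’s author or from securitytxt.org): it parses the key-value lines, checks that Contact and Expires are present, that each Contact value is a URI (mailto:, tel: or https:, as the standard requires rather than a bare address), and that the Expires date-time is neither in the past nor more than a year away. The sample file is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not Adobe's real file), in the shape the post describes
SAMPLE = """\
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, ro
Canonical: https://example.com/.well-known/security.txt
"""
REQUIRED = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")  # Contact values are URIs, not bare addresses

def parse_security_txt(text):
    """Map each field name to its list of values; blank lines and # comments are skipped."""
    fields, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
        else:
            malformed.append(line)
    return fields, malformed

def validate_security_txt(text, now=None):
    """Return the list of rule violations; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields, malformed = parse_security_txt(text)
    problems = [f"malformed line (no colon): {line}" for line in malformed]
    problems += [f"missing required field {n}" for n in REQUIRED if n not in fields]
    problems += [f"Contact is not a mailto:/tel:/https: URI: {v}"
                 for v in fields.get("Contact", []) if not v.startswith(CONTACT_SCHEMES)]
    for value in fields.get("Expires", [])[:1]:  # only the first Expires is checked
        try:  # ISO 8601 date-time; a trailing Z is rewritten for Pythons before 3.11
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if expires.tzinfo is None:
            problems.append(f"Expires lacks a time-zone offset: {value}")
        elif expires <= now:
            problems.append("file has expired: treat its contents as stale")
        elif expires > now + timedelta(days=365):
            problems.append("Expires is more than a year away (under a year is recommended)")
    return problems
```

Run `validate_security_txt(open("security.txt").read())` against your own file; anything it returns is something a researcher’s tooling may trip over too.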

Easily create your own ‘security.txt’ file

Now that we’re familiar with the purpose and structure of the security.txt file, let’s see how we can easily create one for ourselves.

Of course, you can go ahead and right-click, create a new file, add some content, and call it a day, but if you want to adopt this proposed standard you should take its rules into account.

So to make this job easier, go to securitytxt.org and generate your own standard-compliant content.

There you’ll find an easy-to-complete form with all the fields that are currently available.

When you’ve finished completing the desired fields, press the generate button and then just copy and paste the content into your security.txt file.

That’s all!

Find targets for ethical hacking

Next up I want to show you a nice way to take advantage of the ‘security.txt’ file if you’re doing bug bounties.

Go to your favorite search engine, mine happens to be Brave Search, and search for the following query:

"security.txt" filetype:txt

This is going to find the websites whose ‘security.txt’ file has been indexed by the search engine.

Brave Search security.txt search query for bounty hunters


So now you have many targets that a lot of people don’t know about or that a lot of hackers don’t focus their attention on.

I think this can be a nice addition to your hacking tools and I hope it will bring you great rewards.

Disadvantages of using ‘security.txt’

Now that we’ve talked about the benefits of the ‘security.txt’ file let’s turn the page and talk about its disadvantages.

Every downside I’m gonna mention has already been described in the official documentation.

Okay so the first downside people complain about is the spam and useless reports they receive shortly after the ‘security.txt’ file has been made public.

This is because a lot of script kiddies send automated reports, most of them close to useless, and if you try to have a conversation with such people you’ll find it’s just a waste of time, because they have no idea how to help you fix a security issue.

So you’ll probably end up hating yourself for adding the ‘security.txt’ file.

But this shouldn’t be the case, because you can mitigate the spam by implementing e-mail filters, which will reduce the number of spam e-mails you receive.


Another downside is that most people who see that you have a ‘security.txt’ file would assume that your organization is granting permission to perform security testing against its services or products.

This might result in increased testing against your organization’s infrastructure, which can cause problems of its own.

But on the other hand, if you don’t have a ‘security.txt’ people would assume your organization doesn’t accept security reports.

So to avoid confusion, make sure to add your company’s vulnerability disclosure policy as mentioned earlier.


One last disadvantage I’m gonna mention concerns compromised files and incident response.

An attacker who has compromised a website can modify the ‘security.txt’ file as well.

This can result in security reports not being received by the organization or even worse, they could be sent to the attacker instead.

To protect against this, you should use the Canonical field to indicate the locations of the file, digitally sign the file, and check the file from time to time so that tampering is detected.
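As an added example (not from the post or from any tool it mentions), the following Python routine implements the periodic check-up just described: it compares the file as currently served against a content hash and the Contact, Encryption and Canonical values recorded when the file was deployed, and confirms that Canonical lists the URL the file was fetched from. The original file, the tampered copy and the URL are all constructed; verifying a PGP signature is not shown.

```python
import hashlib

# Fields whose change would redirect or expose reports; watched even if the hash check is skipped
WATCHED = ("Contact", "Encryption", "Canonical")

def fields_of(text):
    """Minimal field map (name -> list of values); comments and blank lines are ignored."""
    fields = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def check_security_txt(served_url, current, baseline_sha256, baseline_fields):
    """Compare the file just fetched from served_url with the values recorded at deploy time."""
    alerts = []
    digest = hashlib.sha256(current.encode()).hexdigest()
    if digest != baseline_sha256:
        alerts.append(f"content hash changed: {digest[:12]} (baseline {baseline_sha256[:12]})")
    fields = fields_of(current)
    for name in WATCHED:
        before, after = baseline_fields.get(name, []), fields.get(name, [])
        if before != after:
            alerts.append(f"{name} changed from {before} to {after}")
    if served_url not in fields.get("Canonical", []):
        alerts.append(f"Canonical does not list the location it was served from: {served_url}")
    return alerts

# Constructed sample: the file recorded at deploy time, and a copy with the Contact redirected
ORIGINAL = """\
Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
"""
TAMPERED = ORIGINAL.replace("mailto:security@example.com", "mailto:reports@attacker.invalid")
BASELINE_SHA256 = hashlib.sha256(ORIGINAL.encode()).hexdigest()
BASELINE_FIELDS = fields_of(ORIGINAL)
URL = "https://example.com/.well-known/security.txt"

if __name__ == "__main__":
    print(check_security_txt(URL, ORIGINAL, BASELINE_SHA256, BASELINE_FIELDS))  # []
    for alert in check_security_txt(URL, TAMPERED, BASELINE_SHA256, BASELINE_FIELDS):
        print("ALERT:", alert)
```

Store the baseline hash and field values somewhere the web server cannot write to, otherwise whoever alters the file can alter the baseline too.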

Conclusions

That’s all I had to say about the ‘security.txt’ file.

If I missed something, please do let me know in the comments section and also let me know if you already have a ‘security.txt’ for your website or if you’re going to create one in the future.

I hope the information I’ve shared in this post has helped you better understand what ‘security.txt’ is and how we can use it to our advantage to report security issues.

And for the bug hunters out there, this file can make your job easier when it comes to finding potential targets to reap some juicy rewards.


Let me know what you think about this article in the comments section below.

If you find this article helpful, please share it with others and subscribe to the blog to support me, and receive a bi-monthly-ish e-mail notification on my latest articles.   